Cybersecurity experts warn businesses that, detected or not, someone is already lurking in their networks doing things they should not be doing. There are seven insider threat indicators that must be detected to prevent data breaches like those at Equifax, Uber, and the SEC.
Interset puts the power back in the hands of the SOC by revealing insider threats that rule- and threshold-based systems often overlook, helping mitigate the impact of data breaches and the loss of critical IP. Using advanced mathematical models and unsupervised machine learning, Interset surfaces key indicators of insider threats: account misuse, compromised accounts, infected hosts, internal reconnaissance, lateral movement, insider fraud, and data exfiltration.
Data breaches typically involve multi-stage advanced persistent threats (APTs), which are difficult to detect with rule- and threshold-based systems because no single stage need trip a static rule. Interset security analytics uncovers these hidden threats at each phase of the attack cycle.
For example, security analytics detects abnormal behavior indicative of account misuse or account compromise. Typically this is followed by internal reconnaissance, then lateral movement across the environment and collection of data, ultimately resulting in a data breach.
Infected hosts can also be a factor in data breaches when a compromised system has been set up to send data externally on its own, another case that security analytics can detect.
Finding signs of these insider threats and connecting the dots between them is critical to protecting enterprises and consumers from criminal minds.
An analytics-based approach examines application log files for unusual access patterns, network traffic for signs of suspicious connections, data protection logs for transfers of large volumes of data, and additional factors when available. It then runs an integrated mathematical analysis of these factors together, so that several individually weak signals can add up to a clear indicator of an account takeover or compromise.
The contextual correlation and analysis of data give security analytics the ability to detect threats operating inside the business.
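The following is an added illustration of the multi-source scoring described above; it is not Interset's code, and the log events, the per-user baselines, the noisy-OR fusion and the thresholds are all constructed assumptions chosen to show the point. Each source (application access, outbound connections, data-protection transfers) is baselined per user and scored on its own, and the scores are then combined so that one account whose every indicator stays below a single-rule threshold still surfaces as high risk.

```python
"""Toy multi-signal insider-threat scoring over constructed log events.

Added example (not Interset's code). Three log sources are baselined per
user, scored individually, and fused so that weak signals that each stay
below a rule threshold still surface as one high-risk account.
"""
import math
import statistics
from collections import defaultdict

# Constructed baseline: (user, resource) application access events.
BASELINE_ACCESS = [
    ("alice", "crm"), ("alice", "crm"), ("alice", "wiki"), ("alice", "crm"),
    ("bob", "git"), ("bob", "ci"), ("bob", "git"), ("bob", "wiki"),
]
# Constructed baseline: (user, destination) outbound connection events.
BASELINE_NET = [
    ("alice", "crm.internal"), ("alice", "mail.internal"), ("alice", "crm.internal"),
    ("bob", "git.internal"), ("bob", "ci.internal"), ("bob", "git.internal"),
]
# Constructed baseline: (user, bytes) data-protection (DLP) transfer events.
BASELINE_DLP = [
    ("alice", 2_000_000), ("alice", 3_000_000), ("alice", 2_500_000), ("alice", 2_800_000),
    ("bob", 500_000), ("bob", 700_000), ("bob", 600_000), ("bob", 650_000),
]

# Constructed observation window: bob touches an unfamiliar share, opens one
# new external connection, and moves somewhat more data than usual. No single
# event is dramatic; together they look like account compromise plus exfiltration.
OBSERVED_ACCESS = [("alice", "crm"), ("bob", "git"), ("bob", "finance-share")]
OBSERVED_NET = [("alice", "crm.internal"), ("bob", "git.internal"), ("bob", "203.0.113.7")]
OBSERVED_DLP = [("alice", 2_600_000), ("bob", 900_000)]


def _by_user(events):
    groups = defaultdict(list)
    for user, value in events:
        groups[user].append(value)
    return groups


def novelty_score(baseline, observed):
    """Fraction of a user's observed categorical values never seen in their baseline."""
    seen = {u: set(v) for u, v in _by_user(baseline).items()}
    scores = {}
    for user, values in _by_user(observed).items():
        new = [v for v in values if v not in seen.get(user, set())]
        scores[user] = len(new) / len(values)
    return scores


def volume_score(baseline, observed, scale=4.0):
    """Positive z-score of the largest observed transfer against the user's own
    history, squashed into [0, 1] with 1 - exp(-z / scale) (scale is an assumption)."""
    hist = _by_user(baseline)
    scores = {}
    for user, sizes in _by_user(observed).items():
        h = hist.get(user, [])
        if len(h) < 2:  # no usable history: score nothing rather than guess
            scores[user] = 0.0
            continue
        mu, sigma = statistics.mean(h), statistics.pstdev(h) or 1.0
        z = max((max(sizes) - mu) / sigma, 0.0)
        scores[user] = 1.0 - math.exp(-z / scale)
    return scores


def combined_risk(indicators):
    """Noisy-OR fusion: high if any indicator is strong OR several are moderately elevated."""
    quiet = 1.0
    for s in indicators.values():
        quiet *= 1.0 - s
    return 1.0 - quiet


def static_dlp_rule(events, max_bytes=10_000_000):
    """A typical fixed DLP threshold (assumed 10 MB): flags only transfers above it."""
    return [user for user, size in events if size > max_bytes]


def score_entities(rule_threshold=0.75):
    """Per-user indicators, whether any single one would fire a rule, and the fused risk."""
    acc = novelty_score(BASELINE_ACCESS, OBSERVED_ACCESS)
    net = novelty_score(BASELINE_NET, OBSERVED_NET)
    dlp = volume_score(BASELINE_DLP, OBSERVED_DLP)
    report = {}
    for user in set(acc) | set(net) | set(dlp):
        ind = {"access": acc.get(user, 0.0), "network": net.get(user, 0.0),
               "transfer": dlp.get(user, 0.0)}
        report[user] = {
            "indicators": ind,
            "single_rule_fires": any(v >= rule_threshold for v in ind.values()),
            "combined": combined_risk(ind),
        }
    return report


if __name__ == "__main__":
    for user, r in sorted(score_entities().items()):
        print(f"{user:6s} combined={r['combined']:.2f} "
              f"single_rule={r['single_rule_fires']} {r['indicators']}")
    print("static DLP rule alerts:", static_dlp_rule(OBSERVED_DLP))
```

Run as written, the fixed 10 MB DLP rule alerts on nobody and none of bob's three indicators reaches the 0.75 single-rule threshold, yet his fused risk lands around 0.9 while alice stays near zero. Real products model far more than three sources and learn the thresholds rather than hard-coding them, but the shape of the argument is the same: correlate weak evidence across sources per entity instead of alerting on each source in isolation.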
There is a distinction between an ‘insider threat’ and an ‘inside threat.’ An insider is an entity within an organization, such as a disgruntled employee with the ability to damage the business from within. An external attacker, however, can also do damage from within a business (e.g., when malicious software delivered by a phishing attack is used to gain access to the enterprise). In such a case, the attacker can take control of a legitimate user’s credentials and move laterally within the targeted organization. The attacker is not an insider, but once inside, and with that level of access, the threat has moved ‘inside.’ Such an attacker often goes to some lengths to avoid raising alarms by performing only activity already permitted by IT policy, and thus frequently flies under the radar. The ability of an intruder to pose as a legitimate user is what necessitates a security analytics approach.
When surveyed, enterprises shared their concerns:
According to the 2019 Verizon Data Breach Investigations Report, insider threats continue to play a role in today’s data breaches. The report found that:
To make matters worse, 56% of breaches took months or longer to discover. Attack techniques are becoming more sophisticated and allowing for quicker time-to-compromise, so it is critical that security teams and detection methods be proactive and keep pace.
See how Interset UEBA detects and responds to real threats before your data is stolen by scheduling a demo with one of our security professionals.